CISO Series Digest: Eric Johnson on securing the AI frontier

View highlights from our latest CISO Series discussion with Eric Johnson, the CIO of SurveyMonkey, to learn how his organization is handling the deluge of new generative AI tools in the workplace. Chris and Eric’s conversation contains a number of interesting nuggets worth teasing out, with the most important being the need to focus on data visibility and how the new AI era resembles the earliest days of the cloud computing revolution.

How should organizations approach the use of generative AI models

Chris asks Eric what he thinks about the internal deployment of AI models, including which teams to involve in this process, what the risks are, and how to ensure everyone is aligned. At SurveyMonkey, Eric is part of a working group that includes individuals from legal, engineering, security, and privacy so that everyone has a shared understanding of the implications, benefits and risks. Simultaneously, this allows for there to be a single place where requests to use new technologies can be made.

The other key piece of managing risks for Eric is monitoring where data is going, whether to internal or external AI, which is currently carried out by the security team leveraging tools like Cyberhaven.

“That working group has really become the funnel that we feed all requests in...”

– Eric Johnson, CIO, SurveyMonkey

What does the cost-benefit analysis for AI look like?

Cost is a theme that came up during the conversation. In this segment, Eric speaks to how costs for AI may come up. As companies work to make large language models (LLMs) more accurate, training costs will go up in terms of the time commitment to train models and acquiring the data required to train models. For security teams, there will need to be entirely new ecosystems or infrastructure to allow for “AI observability” to ensure the data fed into LLMs is not highly sensitive, and that the model’s behavior does not result in the exposure of highly sensitive data.

“Similar to the analogy you made with the cloud… I don’t think we’re that far behind that same sort of run as we get into generative AI and people start to look at all that infrastructure and question how to manage it. There’s going to be all this follow-on technology to help people manage AI from a data perspective, a security perspective, and a cost perspective.”

– Eric Johnson, CIO, SurveyMonkey

How will AI alter security and privacy policies?

Chris was curious about how new technologies like AI are causing companies like SurveyMonkey to re-evaluate their internal policies. Eric explains that his multi-department working group is studying the technology to better inform how user policies should be updated over time.

“We’re going to have to continue to re-evaluate these things. I do think this is forcing a lot of security folks and CIOs, and even privacy and legal folks out of their comfort zone.”

– Eric Johnson, CIO, SurveyMonkey

Security at the new technological frontier

If you enjoyed this recap, be sure to check out the full session here. Given Chris and Eric’s deep experience in the industry, this was an excellent discussion about how to separate signal from noise and focus on security fundamentals in the face of the ongoing AI revolution. The conversation covered a myriad of topics, including how AI will change the security function, what adoption looks like currently within the enterprise, and much more.

We’re also looking forward to seeing you at the next CISO Series discussion.

‍